(54) Access control system and method

(57) When a server receives a service request from a client, identifiers of a terminal and of a user are acquired from the service request and authority with respect to the service request is uniquely decided from the terminal and user identifiers acquired. It is then determined, using the authority decided, whether or not to accept the service request.
Description

This invention relates to an access control system and method, particularly to access control of a distributed system in which the resources of remote sites are shared using a computer network, by way of example.

Access control in a distributed system generally is 
achieved by combining an authentication mechanism in 
the distributed system with a resource protection mech- 
anism at each site. For example, a distributed file sys- 
tem, which is a means of sharing files via a network, is 
used in a comparatively small-scale network environ- 
ment such as a local area network (LAN). In such case 
user authentication means at the site level is appropri- 
ated in the network environment as well by unifying 
modes of user management, and resource protection is 
achieved based upon the authority granted to authenti- 
cated users. The file access control means for imple- 
menting this generally is provided by the operating sys- 
tem (OS). 

In a comparatively large-scale network such as a 
wide-area network (WAN), on the other hand, use is 
made of authentication by an authentication system be- 
cause unifying modes of user management is difficult. 
In a large-scale network environment, opportunities to 
share resources per se are fewer than in a small-scale 
network. However, in terms of providing the mechanism 
eventually used as the resource protection mechanism, 
the situation is the same as in the case of the small-scale 
network environment. 

However, the following problems arise in the art de- 
scribed above: 

The first problem is that satisfactory reliability can- 
not be assured merely by applying the site-level user 
authentication mechanism to a distributed system. Even 
if modes of user management are unified between sites, 
no legal force is involved and a certain site is capable 
of individually altering some of the management infor- 
mation. In cases such as these, it is possible for a site 
administrator to impersonate a user and it is difficult for 
the resource provider to detect this. 

The second problem is that in a scenario in which 
the resource protection mechanism provided by the op- 
erating system (OS) is applied to distributed resources, 
ordinarily this is effective only at the site at which the 
resource protection mechanism is operating. Conse- 
quently, if there is an externally applied request for op- 
eration of a resource, the request must be dealt with 
based upon the rightful authority given to the site. How- 
ever, as long as users once authenticated possess the 
same authority, it is not possible to cope with a situation 
in which reliability or level of authorization differ depend- 
ing upon the site, even for the same user. 

Accordingly, an object of the present invention is to 
provide an access control system and method in which, 
when shared resources in a distributed system are ac- 
cessed, the shared resources can be protected safely 
and flexibly. 



According to one aspect of the present invention, the foregoing object is attained by providing an access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising acquisition means for acquiring an identifier of a terminal which requests a service and an identifier of a user, decision means for uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging means for judging, using the authority that has been decided, whether or not to accept the service request.

In another aspect of the invention, the foregoing object is attained by providing an access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising relay means for acquiring an identifier of a user requesting a service, intercepting the service request by transmitting, to a prescribed address, a service request message onto which the acquired user identifier has been added, and distributing a received message, and service providing means for acquiring as a user identifier an identifier added onto the received service request message, acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging, using the authority that has been decided, whether or not to accept the service request.

According to the present invention, the foregoing object is attained by providing an access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising an acquisition step of acquiring an identifier of a terminal which requests a service and an identifier of a user, a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step of judging, using the authority that has been decided, whether or not to accept the service request.

In another aspect of the invention, the foregoing object is attained by providing an access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising, in relay means for intercepting a service request and distributing a received message, a first acquisition step of acquiring an identifier of a user requesting a service and a transmission step of transmitting, to service providing means, a service request message to which the acquired user identifier has been added on, and, in the service providing means, a receiving step of receiving a service request message, a second acquisition step of acquiring as a user identifier the identifier added onto the received service request message, and acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step of judging, using the authority that has been decided, whether or not to accept the service request.

EP 0 813 327 A2

In accordance with the present invention having the 
configuration described above, it is possible to provide 
an access control system and method in which, when 
shared resources in a distributed system are accessed, 
the shared resources can be protected safely and flex- 
ibly. 

Embodiments of the present invention will now be 
described with reference to the accompanying draw- 
ings, in which: 

Fig. 1 is a diagram illustrating an example of the 
configuration of a network environment according 
to an embodiment of the present invention; 
Fig. 2 is a flowchart showing an example of a pro- 
cedure through which a server processes a service 
request from a client; 
Fig. 3 is a flowchart showing an example of a pro- 
cedure through which a server processes a connec- 
tion request from a client; 
Fig. 4 is a flowchart showing an example of a pro- 
cedure through which a relay server processes a 
service request from a client; 
Fig. 5 is a flowchart showing an example of a pro- 
cedure through which a relay server processes a 
connection request from a client; 
Fig. 6 is a diagram showing a first example of a stor- 
age medium storing program codes according to 
the present invention; and 
Fig. 7 is a diagram showing a second example of a 
storage medium storing program codes according 
to the present invention. 

An access control system according to embodi- 
ments of the present invention will be described in detail 
with reference to the drawings. 

The embodiments described below relate to a dis- 
tributed system having a plurality of users, particularly 
a distributed system in which the authorities of individual 
users are managed uniformly even in a distributed en- 
vironment in which the modes of user management dif- 
fer from one site to another. 

[First Embodiment] 

Fig. 1 is a diagram illustrating an example of the 
configuration of a network environment according to an 
embodiment of the present invention. 

As shown in Fig. 1, a group of terminals, described later, are connected to a network terminal 101 to construct a computer network. The computer network described here includes an Ethernet, a LAN using an FDDI, a WAN constructed by interconnecting networks by a public telephone line or leased line, etc.



A server terminal 102 is a computer system such as a work station or personal computer run by an application provided in a distributed system. Client terminals 103, 105, 106 are computer systems, which are similar to the server terminal 102, run by applications utilizing resources in the distributed system. An authentication server terminal 104 is a computer system, which is similar to the server terminal 102, run by an authentication server which provides an authentication mechanism in the network environment. The authentication server terminal 104 is provided by a Kerberos system, by way of example.

These computer systems are assigned their own 
identifiers, which are acquired by communication be- 
tween any of the terminals. Further, the above-men- 
tioned server application, client applications and au- 
thentication server are items of software stored on an 
external storage medium such as a floppy disk, a hard 
disk, a magneto-optic drive (MO), a CD-ROM, a CD-R 
or a magnetic tape, or in any non-volatile semiconductor 
memory device such as a ROM or flash memory. When 
necessary the particular software is read in the memory 
possessed by the terminal and is then executed by a 
CPU with which the same terminal is provided. It is un- 
necessary to assign a dedicated terminal to the appli- 
cation software executed, and servers, clients, etc. may 
operate a certain terminal simultaneously. Further, the 
term "server" or "client" is a generic term that relates to 
the role of the application concerning a prescribed serv- 
ice and does not necessarily have a fixed meaning in 
terms of an application. In actuality, a certain application 
may be a server with regard to a certain service or a 
client with regard to a different service. 

Fig. 2 is a flowchart showing an example of a pro- 
cedure through which a server processes a request from 
a client. The flowchart has a first step S201, at which a 
terminal identifier is acquired from a service request 
sent from a client. The user identifier is then acquired 
from the service request at step S202. Here the process- 
ing for acquiring the user identifier employs authentica- 
tion means supplied by the authentication server. How- 
ever, an arrangement may be adopted in which the iden- 
tifier is acquired using means supplied in dependence 
upon the network environment, e.g. identity inquiry 
means in conformity with RFC1413 in the TCP/IP 
(Transmission Control/Internet Protocol) network envi- 
ronment. 

Next, at step S203, the corresponding authority of 
the server terminal is decided based upon the terminal 
identifier and user identifier acquired. If the requested 
service is to gain access to resources (e.g. files, devic- 
es, etc.) protected by the OS, the authority of the server 
terminal is an authority defined by the OS. If the request- 
ed service is a resource (e.g. shared data in a database 
management system) protected by the server, then the 
authority of the server terminal is an authority defined 
independently by the server. 

This is followed by step S204, at which it is deter- 
mined whether the authority regarding the service re- 
quest is valid (whether the service request is within the 
limits of authority). If the authority is valid, then the serv- 
ice request is processed at step S205. Of course, if the 
authority regarding the service request is invalid (the 
service request is outside the limits of authority), then 
the service request is not processed. 

The details of processing at steps S203 and S204 
will now be described. 

If a subset of a quotient lattice decided by a certain equivalence relation is taken in a direct product lattice of a set lattice corresponding to respective ones of the terminal identifiers and user identifiers, an ordered relation in the quotient lattice will hold in this subset. A set M comprising all maximal elements is decided in relation to the ordered relation. On the other hand, take an element r of the quotient lattice corresponding to the terminal identifier and user identifier obtained at steps S201 and S202. When there is an m for which m ≥ r holds, where m is an element of M, the authority with regard to the request is taken as being valid.

In other words, it is assumed that the above-men- 
tioned equivalence relation, the set of maximal elements 
and a unique corresponding relationship from the max- 
imal elements to the authority of the server terminal 
have been obtained in advance with regard to each 
service. Then, at step S203, an equivalence class with 
regard to the terminal identifier and user identifier is de- 
cided. It is then determined at step S204 whether there 
is an ordered relation between this equivalence class 
and a series of maximal elements. 

Since all sets in the foregoing are equivalence sets, 
they are expressed by well-known means, such as a bit 
string. The equivalence relation, on the other hand, is 
means for converting the bit string to another, shorter bit 
string in accordance with rules given by declaration or 
procedurally. 

Abnormalities due to a variety of faults can occur at 
steps S201 and S202. In such case the element of the 
quotient lattice corresponding to the least upper bound 
of the direct product lattice relating to the terminal iden- 
tifier is substituted as the equivalence class at step S203 
in response to an abnormality at step S201 . The element 
of the quotient lattice corresponding to the least upper 
bound of the direct product lattice relating to the user 
identifier is substituted in response to an abnormality at 
step S202. The least upper bound of the quotient lattice 
is substituted in response to abnormalities at both steps 
S201 and S202. 
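The decision and judgment of steps S203 and S204, including the substitution of the least upper bound when acquisition at S201 or S202 fails, can be written out directly. The following Python is an added example and not part of the patent: the terminals, users, groups, predicates and the two-element policy are constructed sample data, and the rule that the first dominating maximal element wins when several apply is this example's own choice.

```python
"""Added example (not the patent's own code): steps S203/S204 as a
quotient-lattice check.  An identifier's equivalence class is the bit
string of predicate results, as the text describes; a maximal element of
M is a pair (terminal classes, user classes) of frozensets, ordered
componentwise by subset inclusion, and maps to one authority."""
from dataclasses import dataclass
from itertools import product

# Constructed sample environment: hypothetical terminal and user identifiers.
LAB_NET_TERMINALS = {"host-a.lab.example", "host-b.lab.example"}
DEV_GROUP = {"alice", "bob"}
AUDIT_GROUP = {"bob", "carol"}

# The equivalence relation, given procedurally: one bit per predicate.
TERMINAL_PREDICATES = [lambda t: t in LAB_NET_TERMINALS]       # bit 0: on lab network
USER_PREDICATES = [lambda u: u in DEV_GROUP,                    # bit 0: developer
                   lambda u: u in AUDIT_GROUP]                  # bit 1: auditor


def equivalence_class(identifier, predicates):
    """Shrink an identifier to its (shorter) bit string."""
    return tuple(int(p(identifier)) for p in predicates)


def all_classes(n_bits):
    """Every class of a component's quotient lattice: its least upper bound."""
    return frozenset(product((0, 1), repeat=n_bits))


TOP_TERMINAL = all_classes(len(TERMINAL_PREDICATES))
TOP_USER = all_classes(len(USER_PREDICATES))


@dataclass(frozen=True)
class MaximalElement:
    """One element m of M: a sublattice plus the authority it maps to."""
    terminal_classes: frozenset
    user_classes: frozenset
    authority: str

    def dominates(self, r_terminal, r_user):
        """The ordered relation m >= r (componentwise subset inclusion)."""
        return r_terminal <= self.terminal_classes and r_user <= self.user_classes


# Constructed policy for one service: developers get read-write only from
# lab terminals; auditors get read-only from any terminal.
POLICY = [
    MaximalElement(frozenset({(1,)}), frozenset({(1, 0), (1, 1)}), "read-write"),
    MaximalElement(TOP_TERMINAL, frozenset({(0, 1), (1, 1)}), "read-only"),
]


def is_antichain(policy):
    """Check that M consists of maximal (pairwise incomparable) elements;
    an element lying below another would be redundant."""
    for a, b in product(policy, repeat=2):
        if a is not b and a.dominates(b.terminal_classes, b.user_classes):
            return False
    return True


def request_classes(terminal_id, user_id):
    """S201/S202 result with the fault handling the text describes: a failed
    acquisition (None) is replaced by the least upper bound of that
    component, so only a maximal element admitting every terminal (or every
    user) can still accept the request."""
    if terminal_id is None:
        r_t = TOP_TERMINAL
    else:
        r_t = frozenset({equivalence_class(terminal_id, TERMINAL_PREDICATES)})
    if user_id is None:
        r_u = TOP_USER
    else:
        r_u = frozenset({equivalence_class(user_id, USER_PREDICATES)})
    return r_t, r_u


def decide_authority(terminal_id, user_id, policy=POLICY):
    """S203 + S204: the authority of the first m in M with m >= r, or None
    when the request lies outside the limits of all authority."""
    r_t, r_u = request_classes(terminal_id, user_id)
    for m in policy:
        if m.dominates(r_t, r_u):
            return m.authority
    return None


if __name__ == "__main__":
    assert is_antichain(POLICY)
    for t, u in [("host-a.lab.example", "alice"), ("guest-pc", "alice"),
                 ("guest-pc", "carol"), (None, "carol"), (None, None)]:
        print(t, u, "->", decide_authority(t, u))
```

Because a failed acquisition is replaced by the top of that component, a request whose terminal could not be identified is accepted only by a maximal element that admits every terminal; the failure mode therefore degrades towards denial rather than towards elevated authority.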

By way of example, in a case where a service pro- 
vided to a user group composed of prescribed users is 
restricted at a terminal connected to a prescribed net- 
work, the following is given as an equivalence relation: 
"whether or not the terminal is included in a sublattice 
of a direct product lattice decided by a set of identifiers 
of terminals connected to a specified network and a set 
of identifiers of users belonging to a specified user 
group". In other words, the pair "whether or not the terminal is connected to a specified network" and "whether or not the user belongs to a specified user group" is given as the equivalence relation.

As a result, the set of terminal identifiers and the set of user identifiers are each split into two sublattices that do not overlap each other, whereupon there is obtained a quotient lattice of a direct product set comprising 16 elements. This quotient lattice clearly is isomorphic to the direct product lattice of the quotient lattice relating to respective ones of the terminal identifier and user identifier. Accordingly, only one equivalence class corresponding to all pairs of terminal identifiers and user identifiers which will accept a service request is decided in the above-mentioned quotient lattice. This equivalence class is made to correspond to the authority over a service by deciding a set of maximal elements in which this equivalence class is adopted as one element. By virtue of the foregoing operation, the equivalence relation and the set of maximal elements regarding a service, as well as the corresponding relationship to the authority, are specified. In this setting, the pair of terminal identifiers and user identifiers obtained from the service request of the client corresponds to some equivalence class of the quotient lattice. However, acceptance of the request is limited to a case corresponding to an equivalence class employed as a maximal element.

More specifically in accordance with this embodiment, since an equivalence relation in a set naturally corresponds to an equivalence relation in a set lattice, performing grouping with regard to terminals or users is nothing more than shrinking a large set lattice of elements to a small quotient lattice. As a result, a quotient lattice possessing universality with respect to all quotient lattices used by a server exists, and any quotient lattice becomes a quotient lattice obtained by deciding a separate equivalence relation with respect to the quotient lattice possessing universality. The maximal elements decided by the above-mentioned example in which there is a limitation upon services provided to a specified user group at a terminal connected to a specified network correspond to a sublattice of the universal quotient lattice. Accordingly, this is equivalent to effects obtained in a case where, instead of making the setting in the above-mentioned example, use is made of an equivalence relation which determines a quotient lattice having universality and a set of maximal elements comprising the least upper bounds of the sublattice of the quotient lattice.

Thus, in accordance with this embodiment, objects which determine whether authority is given or not can be aggregated in arbitrary units. This makes it possible to establish access control in highly flexible fashion.

Furthermore, in accordance with embodiments described below, it will be illustrated that the present invention is effective also in regard to supporting a distributed environment in which user management modes are different. More specifically, if all pairs of terminal identifiers and user identifiers regarding one and the same user are regarded as being equivalent, and if this is performed with respect to all users, then one equivalence relation will be obtained. The element of the quotient lattice obtained by this equivalence relation is decided, with regard to individual users, without relation to differences in the user management modes. Accordingly, the set of maximal elements may be decided regarding the quotient lattice as being a universal quotient lattice, and a simpler quotient lattice may be decided using a separate equivalence relation. Further, in order to inhibit illegitimate access from a terminal having poor security, it is also possible to adopt an arrangement in which the equivalence class regarding one and the same user is divided into two parts in conformity with the level of security, and weak authority is given to the equivalence class having the lower level.

[Second Embodiment] 

An access control system according to a second 
embodiment of the present invention will now be de- 
scribed. In the second embodiment, elements substan- 
tially the same as those of the first embodiment are des- 
ignated by like reference characters and need not be 
described again. 

The procedure shown in Fig. 2 makes it possible, 
even for one and the same user, to arbitrarily set the 
level of authority in dependence upon the terminal uti- 
lized by this user. However, the above-mentioned pro- 
cedure is such that authentication processing regarding 
a user is executed with regard to all service requests, 
and problems in terms of efficiency arise in a case where 
a service request is issued repeatedly. Accordingly, in 
the second embodiment, from the standpoint that it will 
suffice to assure security below a so-called transport 
level, authentication processing is executed when the 
connection of a transport level is set. 

Fig. 3 is a flowchart showing an example of a processing procedure executed when establishing the connection of a transport level.

At steps S301 through S303, a terminal identifier 
and a user identifier are acquired from a connection re- 
quest and the corresponding authority in terms of the 
server terminal is decided. This is similar to the process- 
ing of steps S201 and S203 shown in Fig. 2. It is deter- 
mined at step S304 whether the decided authority is val- 
id at the server. If the authority is valid, then the connec- 
tion request is accepted at step S305. Of course, if the 
authority that has been decided is not valid at the server, 
then the connection request is not accepted. 

The processing procedure for a service request in 
a case where a connection request is processed in ac- 
cordance with the procedure shown in Fig. 3 is modified 
to exclude the steps from S201 to S203 from the proce- 
dure of Fig. 2 and, in their place, retrieve the authority 
decided at step S303 from the service request. This 
modification of the procedure is easy to perform. Specifically, it will suffice to record a pair consisting of a connection identifier and the authority and retrieve the authority from the connection identifier at step S305 when the service request is processed. It should be noted that the pair consisting of the connection identifier and the authority is destroyed autonomously at the server when the connection is broken.

The processing of steps S303 and S304 is similar 
to the processing of steps S203 and S204 shown in Fig. 
2. However, rather than using settings relating to serv- 
ices, use is made of settings relating to a connection, 
namely an equivalence relation, a set of maximal ele- 
ments and a unique corresponding relationship from the 
maximal elements to the authority of the server terminal. 
As for the settings relating to a connection and the set- 
tings relating to a series of services, usually whatever 
satisfies the criteria in the former is selected so as to 
satisfy the criteria in the latter, although in general the 
two may be independent of each other. 
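The connection-level bookkeeping of the second embodiment, as an added Python example that is not the patent's own code: authority is decided once at S301 through S305 and then looked up by connection identifier for each service request, with the per-service judgment of S204 still applied, and the recorded pair is dropped when the connection closes. The connection decider, the authority table and the identifiers are constructed stand-ins.

```python
"""Added example (not the patent's own code): server-side state for the
second embodiment.  The S303 decision function is a constructed table,
standing in for the quotient-lattice decision of the first embodiment."""

# Constructed mapping from an authority to the operations it covers; the
# per-service check of step S204 runs against this table.
OPERATIONS_OF_AUTHORITY = {
    "read-write": {"read", "write"},
    "read-only": {"read"},
}


def sample_connection_decider(terminal_id, user_id):
    """Stand-in for step S303: a fixed table of accepted (terminal, user)
    pairs and the authority each maps to (constructed data)."""
    table = {
        ("host-a.lab.example", "alice"): "read-write",
        ("guest-pc", "carol"): "read-only",
    }
    return table.get((terminal_id, user_id))


class ConnectionGate:
    def __init__(self, decide_connection_authority):
        self._decide = decide_connection_authority
        self._authority_of = {}      # connection identifier -> authority
        self.decisions_made = 0      # how often S301-S303 actually ran

    def open_connection(self, conn_id, terminal_id, user_id):
        """S301-S305: acquire identifiers, decide authority, accept or not."""
        self.decisions_made += 1
        authority = self._decide(terminal_id, user_id)
        if authority is None:
            return False             # S304: not valid at the server
        self._authority_of[conn_id] = authority   # the recorded pair
        return True                  # S305: connection accepted

    def service_request(self, conn_id, operation):
        """Fig. 2 with S201-S203 replaced by a lookup on the connection
        identifier; S204 still judges the authority against the service."""
        authority = self._authority_of.get(conn_id)
        if authority is None:
            return False             # unknown or already closed connection
        return operation in OPERATIONS_OF_AUTHORITY[authority]

    def close_connection(self, conn_id):
        """The pair is destroyed when the connection is broken, so a reused
        identifier has to pass S301-S304 again."""
        self._authority_of.pop(conn_id, None)


def demo():
    """Walk through connections and requests; returns the outcomes and the
    number of times the decision step was executed."""
    gate = ConnectionGate(sample_connection_decider)
    results = [
        gate.open_connection(1, "host-a.lab.example", "alice"),  # accepted
        gate.service_request(1, "write"),                        # allowed
        gate.service_request(2, "read"),                         # no connection 2
        gate.open_connection(2, "guest-pc", "carol"),            # accepted
        gate.service_request(2, "write"),                        # read-only
    ]
    gate.close_connection(1)
    results.append(gate.service_request(1, "read"))              # closed
    results.append(gate.open_connection(3, "guest-pc", "alice")) # S304 rejects
    return results, gate.decisions_made


if __name__ == "__main__":
    print(demo())
```

The decision counter makes the efficiency argument of the text visible: three connection attempts cost three decisions, however many service requests follow on the accepted connections.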

[Third Embodiment] 

An access control system according to a third em- 
bodiment of the present invention will now be described. 
In the third embodiment, elements substantially the 
same as those of the first embodiment are designated 
by like reference characters and need not be described 
again. 

In a distributed system of a certain type, a certain 
type of server (referred to below as a "relay server") is 
provided. Specifically, service requests issued by a plu- 
rality of clients simultaneously at client stations are sent 
to a server collectively by the relay server and messages 
sent from a server are distributed to the clients by the 
relay server. Such a configuration is very effective in a 
case where replicas of shared resources are held at the 
client terminals and in a case where messages from the 
server are sent to a series of clients in the manner of a 
broadcast. In a configuration of this kind, it is possible 
to simplify the procedure shown in Fig. 2 or Fig. 3, as 
will be described below. 

First, processing for confirming authority is per- 
formed between a server and a relay server in accord- 
ance with the procedure shown in Fig. 2 or Fig. 3. The 
reason for this is that a service which a server provides 
directly to a relay server differs from that provided to a 
client; the relay server provides a mechanism for inter- 
cepting a request from the client. Accordingly, steps 
S203 and S204 shown in Fig. 2 are executed based up- 
on setting relating to the service. Step S205, rather than 
being a step for processing a service request, is a step 
for processing a service intercept request. It should be 
noted that the service intercept request processing per 
se is executed in accordance with the procedure from 
step S203 onward in the first embodiment using a user 
identifier and terminal identifier of the relay server ob- 
tained through the procedure described below. 

Fig. 4 is a flowchart illustrating an example of a procedure, which corresponds to Fig. 2, which a relay server executes with respect to each client in a distributed system of the kind set forth above.

The flowchart has a first step S401 , at which a user 
identifier is acquired from a service request. Since a re- 
lay server and a client are operating one and the same 
terminal, the processing for acquiring the user identifier 
is capable of being executed securely and efficiently 
without using an authentication server or the like. 

Next, in a case where various settings relating to a 
series of services have been provided by a server, au- 
thority is decided at step S402 and the validity thereof 
with respect to the service request is discriminated at 
step S403. Steps S402 and S403 are for suppressing 
needless relaying of service requests. Though it is pre- 
ferred that this actually be carried out, it is possible for 
this to be omitted. 

Finally, service-request intercept processing is ex- 
ecuted at step S404. This processing involves transfer- 
ring, to the server, a message obtained by adding the 
user identifier acquired at step S401 onto the request 
message of the client. The user identifier added on is 
nothing more than a user identifier necessary in service- 
request intercept processing at the relay server. 

Fig. 5 is a flowchart illustrating an example of a pro- 
cedure, which corresponds to Fig. 3, which a relay serv- 
er executes with respect to each client. 

Step S501 in Fig. 5 is for acquiring a user identifier 
from a connection request in the same manner as at 
step S401 in Fig. 4. 

Next, in a case where various settings relating to a 
connection request have been provided by a server, au- 
thority is decided at step S502 and the validity of the 
decided authority is discriminated at step S503. Steps 
S502 and S503 are for suppressing needless relaying 
of connection requests. Though it is preferred that this 
actually be carried out, it is possible for this to be omit- 
ted. 

Finally, at step S504, the connection request is ac- 
cepted and the pair consisting of the connection identi- 
fier and user identifier received is recorded. 

Thereafter, the relay server subjects the accepted 
connection to processing for intercepting a service re- 
quest from a client. This intercept processing involves 
transferring, to the server, a message obtained by add- 
ing the user identifier recorded at step S504 onto the 
request message of the client. It should be noted that 
the pair consisting of the recorded connection identifier 
and user identifier is destroyed autonomously at the re- 
lay server when the connection is broken. 
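The relay server of Fig. 4 and Fig. 5 together with the server that receives its messages, as an added Python example (not the patent's code). Messages are JSON objects; the user of a local connection is obtained through a constructed callback standing in for the OS lookup the text relies on, and the relay name, user names and policy table are constructed.

```python
"""Added example (not the patent's own code): relay-side intercept
processing (S401/S404, S501/S504) and the server that takes the terminal
identifier from the transmitting relay and the user identifier from the
field the relay added."""
import json

OPERATIONS_OF_AUTHORITY = {"read-write": {"read", "write"}, "read-only": {"read"}}


class RelayServer:
    def __init__(self, relay_id, local_user_of_connection):
        self.relay_id = relay_id
        self._local_user_of = local_user_of_connection   # S401/S501 stand-in
        self._user_of = {}                               # pairs recorded at S504

    def accept_connection(self, conn_id):
        """Fig. 5: S501 acquires the user locally; S504 records the pair."""
        user_id = self._local_user_of(conn_id)
        if user_id is None:
            return False
        self._user_of[conn_id] = user_id
        return True

    def close_connection(self, conn_id):
        """The recorded pair is destroyed when the connection is broken."""
        self._user_of.pop(conn_id, None)

    def intercept(self, conn_id, client_message):
        """S404: forward the client's request with the recorded user
        identifier added on.  A "user" field written by the client itself is
        discarded first, so the only user identifier the server sees is the
        one the relay acquired."""
        user_id = self._user_of.get(conn_id)
        if user_id is None:
            return None
        message = json.loads(client_message)
        message.pop("user", None)
        message["user"] = user_id
        return json.dumps(message)


class Server:
    def __init__(self, accepted_relays, policy):
        self._accepted_relays = accepted_relays   # relays that passed Fig. 2/3
        self._policy = policy                     # (terminal id, user id) -> authority

    def handle(self, transmitting_relay_id, wire_message):
        """The terminal identifier is the identifier of the relay that
        transmitted the message (known from the transport, not read from the
        body); the user identifier is the field the relay added."""
        if transmitting_relay_id not in self._accepted_relays:
            return None
        message = json.loads(wire_message)
        authority = self._policy.get((transmitting_relay_id, message.get("user")))
        if authority is None or message.get("op") not in OPERATIONS_OF_AUTHORITY[authority]:
            return None
        return authority


def demo():
    local_users = {1: "alice", 2: "dave"}        # constructed OS view of connections
    relay = RelayServer("relay-1", local_users.get)
    server = Server({"relay-1"}, {("relay-1", "alice"): "read-write",
                                  ("relay-1", "dave"): "read-only"})
    relay.accept_connection(1)
    relay.accept_connection(2)
    # connection 1: alice writes; judged with read-write authority
    r1 = server.handle("relay-1", relay.intercept(1, '{"op": "write"}'))
    # connection 2: the body names another user, but the relay replaces the
    # field with the recorded user, so the request is judged as dave's
    r2 = server.handle("relay-1", relay.intercept(2, '{"op": "write", "user": "alice"}'))
    r3 = server.handle("relay-1", relay.intercept(2, '{"op": "read"}'))
    # the same message arriving from a relay the server never accepted
    r4 = server.handle("relay-9", relay.intercept(1, '{"op": "read"}'))
    relay.close_connection(1)
    r5 = relay.intercept(1, '{"op": "read"}')    # no recorded pair any more
    return [r1, r2, r3, r4, r5]


if __name__ == "__main__":
    print(demo())
```

The two checks the server makes are the ones the text separates: the relay is accepted once through the Fig. 2 or Fig. 3 procedure, and every forwarded request is then judged on the pair (relay identifier, added user identifier).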

[Fourth Embodiment] 

An access control system according to a fourth em- 
bodiment of the present invention will now be described. 
In the fourth embodiment, elements substantially the 
same as those of the first embodiment are designated 
by like reference characters and need not be described 
again. 



In the third embodiment, authentication of the relay server by a third party such as an authentication server may be omitted in a case where the security of the terminal being operated by the relay server is assured and the relay server is a privileged process in the OS at this terminal. For example, in a TCP/IP network environment, privilege is necessary in an address setting based upon a port number of No. 1023 or less, depending upon the OS of the terminal.

In accordance with this embodiment, the relay server performs the address setting based upon a privileged port number, and the server verifies whether this address is one that has been set by the relay server, thereby making possible identity inquiry of the relay server without relying upon third-party authentication means. Here simple verification means will suffice, such as means for performing regression transfer of any bit pattern selected randomly by communication using the above-mentioned privileged port. The reason for this is that as long as the security of the terminal is assured, an unlawful privileged process which sends back the bit pattern cannot exist. Of course, such means are hazardous in a WAN environment because the reliability of intervening signal paths cannot in general be assured, but they are practical in many LAN environments used in offices or the like.

[Other Embodiments] 

The present invention can be applied to a system constituted by a plurality of devices (e.g., a host computer, interface, reader, printer, etc.) or to an apparatus comprising a single device (e.g., a copier or facsimile machine, etc.).

Further, it goes without saying that the object of the present invention can also be achieved by providing a storage medium storing program codes for performing the aforesaid functions of the foregoing embodiments to a system or an apparatus, reading the program codes with a computer (e.g., a CPU or MPU) of the system or apparatus from the storage medium, and then executing the program. In this case, the program codes read from the storage medium implement the functions according to the embodiments, and the storage medium storing the program codes constitutes the invention. Further, the storage medium, such as a floppy disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, magnetic tape, non-volatile type memory card or ROM can be used to provide the program codes.

Furthermore, besides the case where the aforesaid functions according to the embodiments are implemented by executing the program codes read by a computer, it goes without saying that the present invention covers a case where an operating system (OS) or the like working on the computer performs a part of or the entire process in accordance with the designation of program codes and implements the functions according to the embodiment.
Furthermore, it goes without saying that the present 
invention further covers a case where, after the program 
codes read from the storage medium are written to a 
function extension board inserted into the computer or 
to a memory provided in a function extension unit con- 
nected to the computer, a CPU or the like contained in 
the function extension board or function extension unit 
performs a part of or the entire process in accordance 
with the designation of program codes and implements 
the function of the above embodiments. 

In a case where the present invention is applied to 
the above-mentioned storage medium, program codes 
corresponding to the flowchart described earlier are 
stored on this storage medium. More specifically, mod- 
ules illustrated in the example of the memory map of 
Fig. 6 or Fig. 7 are stored on the storage medium. 

Specifically, it will suffice to store program codes of at least the modules "identifier acquisition", "authority decision" and "validity judgment" on the storage medium, or to store program codes of at least the modules "identifier acquisition A", "identifier add-on" and "transmission" for relay means and program codes of at least "reception", "identifier acquisition B", "authority decision" and "validity judgment" for service providing means.

As many apparently widely different embodiments 
of the present invention can be made without departing 
from the scope thereof, it is to be understood that the 
invention is not limited to the specific embodiments 
thereof except as defined in the appended claims. 



Claims 

1. An access control method for controlling access to
a distributed system in which resources of remote
sites are shared using a computer network, com-
prising:

an acquisition step (S201, S202, S301, S302,
S401, S501) of acquiring an identifier of a ter-
minal which requests a service and an identifier
of a user;

a decision step (S203, S303, S402, S502) of
uniquely deciding authority over the service re-
quest based upon the terminal identifier and us-
er identifier that have been acquired; and

a judging step (S204, S304, S403, S503) of judg-
ing, using the authority that has been decided,
whether or not to accept the service request.

2. The method according to claim 1, wherein said ac-
quisition step acquires the terminal identifier and
the user identifier for every service request mes-
sage.

3. The method according to claim 1, wherein said ac-
quisition step acquires the terminal identifier and
the user identifier when a connection is requested.



4. An access control method for controlling access to
a distributed system in which resources of remote
sites are shared using a computer network, com-
prising:

in relay means for intercepting a service re-
quest and distributing a received message, a
first acquisition step (S201, S301, S401, S501)
of acquiring an identifier of a user requesting a
service and a transmission step (S201, S301,
S401, S501) of transmitting, to service provid-
ing means, a service request message onto
which the acquired user identifier has been
added; and

in said service providing means, a receiving
step (S202, S302) of receiving a service re-
quest message, a second acquisition step of
acquiring as a user identifier the identifier add-
ed onto the received service request message,
and acquiring as a terminal identifier an identi-
fier of the relay means that transmitted this
service request message, a decision step
(S203, S303, S402, S502) of uniquely deciding
authority over the service request based upon
the terminal identifier and user identifier that
have been acquired, and a judging step (S204,
S304, S403, S503) of judging, using the author-
ity that has been decided, whether or not to ac-
cept the service request.


5. The method according to claim 4, wherein said first
acquisition step acquires the user identifier for eve-
ry service request message.

6. The method according to claim 4, wherein said first
acquisition step acquires the user identifier when a
connection is requested.

7. The method according to claim 4, wherein said sec-
ond acquisition step acquires the terminal identifier
of said relay means for every service-intercept re-
quest message received from said relay means.

8. The method according to claim 4, wherein said sec-
ond acquisition step acquires the terminal identifier
of said relay means when a connection is requested
by said relay means.

9. The method according to claim 4, wherein in a case
where a service-intercept request is made using
privileged resources at a terminal at which said in-
tercept means operates, said service providing
means accepts this service-intercept request.

10. An access control system for controlling access to
a distributed system in which resources of remote
sites are shared using a computer network, com-
prising:

acquisition means for acquiring an identifier of
a terminal which requests a service and an
identifier of a user;

decision means for uniquely deciding authority
over the service request based upon the termi-
nal identifier and user identifier that have been
acquired; and

judging means for judging, using the authority
that has been decided, whether or not to accept
the service request.

11. An access control system for controlling access to
a distributed system in which resources of remote
sites are shared using a computer network, com-
prising:

relay means for acquiring an identifier of a user
requesting a service, intercepting the service
request by transmitting, to a prescribed ad-
dress, a service request message onto which
the acquired user identifier has been added,
and distributing a received message; and

service providing means for acquiring as a user
identifier an identifier added onto the received
service request message, acquiring as a termi-
nal identifier an identifier of said relay means
that transmitted this service request message,
uniquely deciding authority over the service re-
quest based upon the terminal identifier and us-
er identifier that have been acquired, and judg-
ing, using the authority that has been decided,
whether or not to accept the service request.

12. A computer readable memory storing program
codes relating to access control of a distributed sys-
tem in which resources of remote sites are shared
using a computer network, comprising:

a program code of an acquisition step of acquir-
ing an identifier of a terminal which requests a
service and an identifier of a user;

a program code of a decision step of uniquely
deciding authority over the service request
based upon the terminal identifier and user
identifier that have been acquired; and

a program code of a judging step of judging, us-
ing the authority that has been decided, wheth-
er or not to accept the service request.

13. A computer readable memory storing program
codes relating to access control of a distributed sys-
tem in which resources of remote sites are shared
using a computer network, comprising:

for relay means which intercepts a service re-
quest and distributes a received message, a
program code of a first acquisition step of ac-
quiring an identifier of a user requesting a serv-
ice and a program code of a transmission step
of transmitting, to service providing means, a
service request message onto which the ac-
quired user identifier has been added; and

for service providing means, a program code of
a receiving step of receiving a service request
message, a program code of a second acqui-
sition step of acquiring as a user identifier the
identifier added onto the received service re-
quest message, and acquiring as a terminal
identifier an identifier of the relay means that
transmitted this service request message, a
program code of a decision step of uniquely de-
ciding authority over the service request based
upon the terminal identifier and user identifier
that have been acquired, and a program code
of a judging step of judging, using the authority
that has been decided, whether or not to accept
the service request.
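As an added illustration that is not code from the patent, the following Python sketch carries out the acquisition, decision and judging steps of claims 1 and 4 (direct request and relay-forwarded request) over a constructed (terminal, user) authority table; all identifiers, the table contents and the service names are assumptions.

```python
# Added example (not from the patent): the (terminal, user) -> authority
# decision and judgment of claims 1 and 4. All identifiers, the authority
# table and the service names are constructed assumptions.
from dataclasses import dataclass

# Authority is keyed on the PAIR, so the same user may hold different
# rights at different terminals. Unlisted pairs get no authority (deny).
AUTHORITY = {
    ("ws-1", "alice"): {"read", "write"},
    ("kiosk-7", "alice"): {"read"},
    ("ws-1", "bob"): {"read"},
}


@dataclass(frozen=True)
class ServiceRequest:
    service: str      # operation requested, e.g. "write"
    user_id: str      # identifier of the requesting user
    terminal_id: str  # identifier of the terminal (or relay) that sent it


def decide_authority(terminal_id, user_id):
    """Decision step: uniquely decide authority from the acquired pair."""
    return frozenset(AUTHORITY.get((terminal_id, user_id), ()))


def judge(authority, service):
    """Judging step: accept only if the decided authority covers the service."""
    return service in authority


def process_request(req):
    """Claim 1 path: acquire both identifiers, decide authority, then judge."""
    return judge(decide_authority(req.terminal_id, req.user_id), req.service)


def relay_transmit(relay_id, user_id, service):
    """Relay means (claim 4): add the user identifier onto the message and
    transmit it; the relay's own identifier travels with the connection,
    not inside the message body, so the receiver never trusts it from there."""
    return relay_id, {"service": service, "user_id": user_id}


def service_receive(sender_id, message):
    """Service providing means (claim 4): take the user identifier from the
    message and the terminal identifier from the relay that transmitted it,
    then decide authority and judge exactly as in the claim 1 path."""
    return process_request(
        ServiceRequest(message["service"], message["user_id"], sender_id))
```

The table deliberately gives alice write authority only at ws-1, so the same user's write request through the kiosk terminal is refused, which is the terminal-and-user dependency the claims describe.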
FIG. 2 (flowchart, START: PROCESSING OF SERVICE REQUEST): S201 ACQUIRE TERMINAL IDENTIFIER FROM SERVICE REQUEST; S202 ACQUIRE USER IDENTIFIER FROM SERVICE REQUEST; S203 DECIDE CORRESPONDING AUTHORITY OF SERVER TERMINAL; S205.

EP 0 813 327 A2

FIG. 3

FIG. 4 (flowchart, START: PROCESSING OF SERVICE REQUEST): S401 ACQUIRE USER IDENTIFIER FROM SERVICE REQUEST; S402 DECIDE CORRESPONDING AUTHORITY OF SERVER TERMINAL; S404 EXECUTE SERVICE-REQUEST INTERCEPT PROCESSING; END.

FIG. 5